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(54) Enhanced encryption control system for a mail processing system having data center 
verification 



(57) A key control system comprises the generation 
of a first set of predetermined keys Kp^ which 
used as master keys for a plurality of respective 
meters (12). The keys are then related to a respective 
meter (12) in accordance with a map or algorithm. The 
predetermined master key Kp^ is encrypted with the 
date to yield a date dependent key Km related to the 
respective meter (12). The date dependent key is 
encrypted with a unique identifier or the respective 
meter to yield a unique key that is by the respec- 
tive meter to generate digital tokens. The Data Center 
(16) encrypts the date with each predetermined key 
Kp^j to yield a table of dependent keys K^'s. The table 
of Kaa's are distributed to verification sites. The verifica- 
tion site reads a meter's identification from a mailptece 
being verified to obtain the dependent key of the 
meter (12). The verification side (34) encrypts the 
dependent key K*) with the unique identifier to obtain 
the unique meter key which is used to verify tokens gen- 
erated by the meter (12). In the preferred embodiment 
the master key Kp^. the date dependent key and 
the unique key K^,. in the meter are stored in the 
meter. In the alternate embodiment the master key 
Kprod is encrypted with a unique meter identifier to 
obtain and the unique key which is stored in the 
meter (12). The meter then generates its date depend- 
ent key K^d, which is used to generate digital tokens. 




Fie, i 




in 



1 



EP0840 258A2 



2 



Description 



The invention relates to mail processing systems 
and methods and more particularly to security of post- 
age metering systems. 

Recent advances in digital printing technology have 
made it possible to implement digital, i.e.. bit map 
addressable, printing for the purpose of evidencing pay- 
ment of postage by a postage-meter-like device. Where 
necessary in order to distinguish such postage-meter- 
like devices from the typical postage meter, such 
devices will be called herein Postage Evidencing 
Devices or PED's. In such devices, the printer may be a 
typical stand-alone printer. The computer driven printer 
of such a PED can print the postal indicia in a desired 
location on the face of a mail piece. Further, as used 
herein the postal indicia will be defined as the Postal 
Revenue Block or PRB. The PRB typically contains data 
such as the postage value a unique PED identification 
number, the date and in some applications the name of 
the place where the mail is originating. It must be noted, 
however that the term postage meter as used herein will 
be understood to cover the various types of postage 
accounting systems inducing such PED's and is not to 
be limited by the type of printer used. 

Rom the Post Office's point of view, it will be appre- 
ciated that a serious problem associated with PED's is 
that the digital printing makes it fairly easy to counterfeit 
the PRB since any suitable computer and printer may 
be used to generate multiple images. In fact many of 
these new PED systems may be using printers that are 
able to print legitimate indicia which are indistinguisha- 
ble from those printed by others that are printed without 
any attempt to purchase postage. 

In order to validate a mailpiece. that is to assure 
that accounting for the postage amount printed on a 
mailpiece has been properly done, it is known that one 
may include as a part of the franking an encrypted 
nurrt>er such that tor instance the value of the franking 
may be determined from the encryption to learn 
whether the value as printed on the mailpiece is correct 
See for exarrple, U.S. Patent Nos. 4.757,537 and 
4,775.246 to Edelmann et at as well as U.S. Patent No. 
4 649 266 to Eckert It is also known to authenticate a 
mailpiece by inducing the address as a further part of 
the encryption as described in U.S. Patent No. 
4,725.718 to Sansone et al and U.S. Patent No. 
4,743,747 to Fougere et al. 

U.S. Patent No. 5.170.044 to Pastor descnbes a 
system wherein include a binary array and the actual 
arrays of pixels are scanned in order to identify .th<? pro- 
vider of the mailpiece and to recover other encrypted 
plaintext information. U.S. Patent No. 5,142.577 to Pas- 
tor describes various alternatives to the DES encoding 
for encrypting a message and for comparing the 
decrypted postal information to the plaintext information 
on the mailpiece. 

U.K. 2,251 .210A to Gilham describes a meter that 



contains an electronic calendar to inhibit operation of 
the franking machine on a periodic basis to ensure that 
the user conveys accounting information to the postal 
authorities. U.S. Patent No. 5.008,827 to Sansone et al, 
5 describes a system for updating rates and regulation 
parameters at each meter via a communication network 
between the meter and a data center. While the meter is 
on-line status registers in the meter are checked and an 
alarm condition raised if an anomaly is detected. 

U.S. Patent No. 5.390.251 to Pastor et al. describes 



TO , 

a mail processing system for controlling the validity of 
printing of indida on mailpieces from a potentially large 
number of users of postage meters includes apparatus 
disposed in each postage meter for generating a code 
is end for printing the code on each mailpiece. The code is 
an encrypted representation of the postage meter appa- 
ratus printing the indida and other information uniquely 
determinative of the legitimacy of postage on the mail- 
pieces. The keys for the code generating apparatus are 
20 changed at predetermined time intervals in each of the 
meters. A security center indudes apparatus for main- 
taining a security code database and for keeping track 
of the keys for generating security codes in correspond- 
ence with the changes in each generating apparatus 
25 and the information printed on the mailpiece by the 
postage meter apparatus for comparison with the code 
printed on the maflpiece. There may be two codes 
printed, one used by the Postal Service for its security 
checks and one by the manufacturer. The encryption 
30 key may be changed at predetermined intervals or on a 
daily basis or for printing each mailpiece. 

It will be appreciated that in order to verify the infor- 
mation in the PRB using the encrypted message, the 
verifier must first be able to obtain the key used by the 
35 particular meter. In trying to deal with mailing systems 
which may incorporate such encryption systems, it must 
be recognized that the meter population is large and 
subject to constant fluctuation as meters are added and 
removed from service. If the same key were to be used 
40 tor all meters, the key distribution is simple but the sys- 
tem is not secure. Once the code is broken by anyone, 
the key may be made available to others using the sys- 
tem and the entire operation is compromised. However, 
if separate keys are used respectively for each meter 
45 then key management potentially becomes extremely 
diff icult considering the fluctuations in such a large pop- 
ulation. 

European Patent Publication No. 0647924, filed 
October 7, 1994. and assigned to the assignee of the 
so instant application, descrfees a key management sys- 
tem tor mail processing that assigns one of a set of pre- 
determined keys by a determined relationship to a 
particular meter, effectively allowing multiple meters to 
share a single key. The key management system 
55 indudes the generation of a first set of keys which are 
then used for a plurality of respective postage meters A 
first key of the first set of key is then related to a specific 
meter in accordance with a map or algorithm. The first 
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key may be changed by entering a second key via an 
encryption using the first key. 

It has been found that although the system 
described in European Patent Publication No. 0647924 
previously noted and hereafter referred to a the "1000 s 
key system" provides a manageable key management 
system, the system has multiple meters sharing the 
same key. 

It is therefore an object of the invention to provide a 
key management system which provides the improved 10 
security 1000 key system and yet which will allow ease 
of key management in a very large system. 

It is another object to provide a method tor easily 
changing the keys for each meter in a manner that pro- 
vides irrproved security and system wide tracking of the is 
key changes. 

In accordance with the present invention, a key 
control system comprises the generation of a first set of 
predetermined keys which are then used as mas- 
ter keys for a plurality of respective postage meters. The 20 
keys are then related to a respective meter in accord- 
ance with a map or algorithm. The predetermined mas- 
ter key Kproj is encrypted with the date to yield a date 
dependent key Kdd related to the respective meter. The 
date dependent key is encrypted with a unique identifier 25 
of the respective meter to yield a unique key that is 
used by the respective meter to generate digital tokens. 
The Data Center encrypts the date with each predeter- 
mined key Kpred to yield a table of dependent keys 
K^s. The table of fWs are distributed to verification 30 
sites. The verification site reads a meter's identification 
from a mailpiece being verified to look tp the dependent 
key ^ of the frorn the distributed table. The ver- 
ification site encrypts the dependent key Kdd with the 
unique identifier to obtain the unique meter key which is 35 
used to verify tokens generated by the meter. 

In a preferred embodiment the method in accord- 
ance with the invention further comprises the steps of 
storing the master key K^, the date dependent key 
Kdd. and the unique key K^j , in the meter. *o 

In an alternate embodiment the master key Kp^ *$ 
encrypted with a unique meter identifier to obtain the 
unique key which is stored in the meter. The meter 
then generates its date dependent key which is 
used to generate digital tokens. <s 

The above and other objects and advantages of the 
present invention will be apparent upon consideration of 
the following detailed description taken in conjunction 
with accompanying drawings, in which like reference 
characters refer to like parts throughout and in which: so 



mation shown in Fig. 2a and 2b; 

Rg. 4 is a flow chart of the operation for providing 

keys in accordance with an embodiment of the 

invention; 

Rg. 5 is a flow chart of meter operation in accord- 
ance with the preferred embodiment of the present 
invention; 

Rg. 6 is a flow chart of meter operation in accord- 
ance with an alternate embodiment of the present 
invention; 

Rg. 7 is a flow chart of data center operation in 
accordance with the preferred embodiment of the 
present invention; 

Rg. 8 is a flow chart of the verification process; 
Rg. 9 is a block diagram of the preferred embodi- 
ment of the present invention; and 
Rg. 10 is a block diagram of an alternate embodi- 
ment of the present invention. 

In Rg. 1, there is shown generally at 10 an overall 
system in accordance with an embodiment of the inven- 
tion. In the embodiment illustrated, the system com- 
prises a meter or PEO 12 interacting with a plurality of 
different centers. A first center is a well-known meter- 
fund resetting center 14 of a type described, for exam- 
ple, in U.S. Patent No. 4,097.923 which is suitable for 
remotely adding funds to the meter to enable H to con- 
tinue the operation of dispensing value bearing indicia. 
In accordance with an embotiment of the invention 
there is also established a security or forensic center 16 
which may of course be physically located at the reset- 
ting center 14 but is shown here separately for ease of 
understanding. Alternatively, such a security or forensic 
center could be an entirely separate faci&ty maintained 
by the Postal Authorities, for instance or two separate 
facilities may be maintained in order to provide levels of 
security, if desired. The dashed lines in Rg. 1 indicate 
telecommunication between the meter 12 and the reset- 
ting center 14 (and/or forensic center 16). 

Typically there may be an associated meter distri- 
bution center 18 which is utilized to simplify the logistics 
of placing meters with respective users. Similarly, a 
business processing center 20 is utiized for the pur- 
pose of processing orders tor meters and for administra- 
tion of the various tasks relating to the meter population 
as a whole. 

The meter manufacturer indicated at 22 provides 
customized meters or PED's to the distribution center 
18 after establishing operabiity with shop checks 
between the manufacturer and the resetting center 14 
and forensic center 16. The meter or PED is unlocked at 
the user's facility by a customer service representative 
indicated here by the box 24. 

At the resetting center 14 a database 26 relating to 
meters and meter transactions is maintained. The reset- 
ting combinations are generated by a secured appara- 
tus labeled here as the Black Box 28. The details of 
such a resetting arrangement are found in U.S. Patent 



Fig. 1 . is a schematic view of a system which may 
be used in accordance with an embodiment of the 
invention; 

Rgs. 2a and 2b illustrates the information which ss 
may be printed in a first embodiment of a PRB in 
accordance with an embodiment of the invention; 
Figs. 3a and 3b illustrate an alternative to the infor- 
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No 4 097.923, herewith specifically incorporated by ref- 
erence herein, and will not be further described here. 

Database 30 and a secured encryption generating 
apparatus, designated here as Orange Box 32. are 
maintained at the security or forensic center 16. The 
orange box preferably uses the DES standard encryp- 
tion techniques to provide a coded output based on the 
Keys and other information in the message string pro- 
vided to it. It will be understood that other encryption 
arrangements are Known and the invention is not limited 
to the specific embodiment using DES encryption. The 
security or forensic center 16. wherever maintained, is 
preferably connected by telecommunication with any 
Post Office inspection station, one of which is indicated 
here at 34. 

Further details are to be found in European Patent 
Publication No. 0647924. previously noted and specifi- 
cally incorporated by reference herein. 

Meter 12. as illustrated, includes a secure clock 40 
that is used to provide a calendar function programmed 
by the manufacturer. The clock and calendar function 
cannot be modified by the user. Such docks are well 
known and may be implemented in computer routines or 
in dedicated chips which provide programmable calen- 
dar outputs. Also stored within the registers of the meter 
12 are a fund resetting key 42. security key 44. expira- 
tion dates 46 and preferably, an inscription enable flag 
48 Preferably, in order to prevent the breaking of the 
encrypted messages to be printed by the postage 
meter, the security key 44 is changed at predetermined 
intervals as discussed below. 

The security key 44 is used in conjunction with a 
DES encrypter in the meter 12 to provide an encryption 
of certain information in the PRB for each printing of the 
PRB on a mailpiece. At each printing operation, the 
entire encrypted message may be printed on the mail- 
piece. However, preferably the cipher, hereafter referred 
to herein as an ECODE (also referred to as a digital 
token) is a truncated ctphertext produced by DES 
encryption of the message based on postage informa- 
tion available to the meter. Verification at the security 
center consists of verifying that the encrypted informa- 
tion is consistent with the ECODE. 

If automatic checking of the ECODE is desired, 
both the ECODE and the plaintext must be machine 
readable. A typical length of plaintext information is, for 
example only and not by way of limitation, the sum of 
the meter ID (typically 7 digits), a date (preferably 2 dig- 
its suitably the last 2 of the number of days from a pre- 
determined starting date such as January 1). the 
postage amount (4 digits) . and the piece count for a typ- 
ical total of 1 6 digits. Reading devices fa lifting the infor- 
mation either from a bar-code on the mailpiece or as 
OCR are well-known and will not be further discussed. 

A DES block is conventionally 64-bits long, or 
approximately 20 decimal digits. A cipher btock is an 
encryption of 64 bits of data. It win be appreciated that 
other information may be selected and that less than the 



information provided here may be encrypted in other 
embodiments of the invention, ft is however important to 
note that the information to be encrypted must be iden- 
tical to that used in verif ication. To this end the plaintext 
5 message may include data which indicates the particu- 
lar information which is encrypted. This may take the 
form of an additional character, additional bar coding or 
a marking on the mailpiece as may be found desirable. 
If desired, a second ECOOE could be printed using 
to a DES key from a set of keys PS-DES known to the 
Postal Service. Alternatively the Postal Service could 
elect to manage its own set of keys as described in con- 
nection with the key management system described 
below. 

is In a first embodiment, as shown in Figs. 2a and 2b. 
the plaintext is encrypted using one of the keys from 
PS-DES. The Postal Service uses the same key from 
the set PS-DES to verify the message. A higher level of 
security is provided by the second ECODE. 
so ma second embodiment two ECODEs are gener- 
ated and printed on the mailpiece. one using a PS-DES 
key provided by the Post Service and the other using a 
Vendor-DES key provided, for example, by the manufac- 
turer or security center. The Postal Service can then 
25 verify the message using its own code generating and 
key management system while the vendor can sepa- 
rately verify the validrty of the message using the 
ECODE generated using its separate key system. Figs. 
3a and 3b show the format of this second embodiment 
so Fig. 4 shows an arrangement for managing meter 
master keys as disclosed in European Patent Publica- 
tion No 0647924. previously noted. First a large, fixed 
set of predetermined keys K^'s is generated, at step 
400 As seen below, the system S in accordance wrth 
35 the invention comprises a set of pointers {p}, a set of 
keys indexed by the pointer (keypj and a map F or gen- 
erating algorithm from the set of meter ID'S {M} to the 
set of pointers. Thus: 

S = ( F. {p}. keyp} ) is the system 

40 F:{M)->(P) 
and 

F(M)«F(meter ID) = p 
finds the pointer to the key for a given meter M. 

Thus, retumng to Fig. 4. as an example, the set of 
45 pointers {p} which may be the integers from 1 to 1000, 
are created from meter parameters, at step 405. The 
function F may be then chosen as, again for example, 
the DES encryption of meter ID using a DES key K. 
preferably truncated to three digits, at step 410 and a 
» look-up table is generated, at step 41 5. « will be under- 
stood that other functional relationships may be chosen. 
The look-up table comprises a set of meter ID'S and 
their assigned pointers. For the greatest security, it will 
be appreciated that the relationship between a pointer p 
55 and the corresponding key should not be easily discov- 
erable nor should the relationship between the pointer 
and the meter ID. It will also be understood that the 
function F should be maintained in secret 
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Referring now to Figs. 5 and 9, the preferred 
embodiment of the present invention is shown. At step 
420. using the meter ID of a specific meter in the look- 
up table, the corresponding is stored in the meter. 
At step 430. a date dependent key is generated 
from the predetermined key Kp red by encrypting the 
date with Kp red to yield the for the meter. At step 
435. a unique meter identifier, such as a meter serial 
number, is encrypted with the date dependent key 
to produce a unique key K^i tor the meter. The meter 
generates digital tokens using its unique key Kf^. 

Referring now to FIGs. 6 and 10, an alternate 
embodiment of the meter operation is shown. At step 
470, a unique meter identifier, such as a meter serial 
number, is encrypted with the predetermined mast©" 
key Kpred to YfeU a unique key K^i for the meter. The 
unique meter key is stored in the meter at step 
475. Kf is used to generate a date dependent key 
in the meter by encrypting the date with Kf ^ to produce 
date dependent key K^. 

Referring now to Fig. 7, the data center operation 
fa the preferred embodiment is shown. At step 450, the 
date is encrypted with each predetermined master key 
Kp^j to yield a table of date dependent keys Kdd's. At 
step 455. the data center distributes the table of K^'s to 
each of the verification sites for use in verifying digital 
tokens generated by the meters. 

Referring now to Fig. 8. a verification process is 
shown using the key management system in accord- 
ance with an embodiment of the present invention. In 
order to verify a mailpiece. the meter ID number printed 
on the mailpiece is read at step 500. At step 510, using 
the meter ID number a date dependent key is found 
in the table of K^ s tfstrtxrted by the data center. The 
key is found using the lookup table or algorithm F from 
the given meter number. At step 515, the identical 
unique meter data that was used by the meter to obtain 
the meter's unique key K^, is encrypted with the date 
dependent key K*,. At step 520. the identical plaintext 
information used to create the ECODE is now encrypted 
at the security center using K^, and the result is com- 
pared with the code printed on the mailpiece, at step 
530. H there is a match at decision at step 540, the mail- 
piece is valid. If not the NO branch will trigger an alarm. 

Returning for the moment to Fig. 2a and Fig. 3a, the 
Postal Service is able in these embodiments to obtain 
the PS-DES pointer directly from the indicia without 
using the process shown in Fig. 8. In the cases illus- 
trated in Figs. 2b and 3b. the DES pointer is obtained by 
using a predetermined algorithm applied to the informa- 
tion printed in the PED ID as described in connection 
with Fig. 8. 

While the present invention has been disclosed and 
descrfced with reference to the embodiments disclosed 
herein, it will be apparent that variations and modifica- 
tions may be made therein. It is thus, intended in the fol- 
lowing claims to cover each variation and mocffication 
that falls within the true spirit and scope of the present 



invention. 
Claims 

5 1. A method for key management for controlling the 
keys used in encoding information to be printed on 
a mailpiece for validating the mailpiece, the method 
comprising the steps of : 

w generating a plurality of keys K to obtain a fixed 

key set Kp^.,,); 

assigning one of said plurality of keys Kp red to a 
particular postage meter M (12) by means of a 
determined relationship associated with the 

is postage meter (12), said relationship being 

derived as a predetermined function F(M) cor- 
respondng to the particular postage meter; 
encrypting said assigned key Kp^ with a date 
to obtain an assigned date dependent key K^; 

so and 

combining the assigned date dependent key 
Keg with information unique to the particular 
postage meter M uni to produce a final key 
for the particular postage meter M, such that 

25 IWffKdd. Muni)- 

2. The method of claim 1 wherein said determined 
relationship associated with the postage meter is a 
pointer p associated with the particular postage 

30 meter M, said pointer p being derived as a function 
F(M) corresponcSng to predetermined parameters 
of the particular postage meter M. 

3. The method of daim 1 or 2 further comprising the 
35 steps of: 

encrypting a date with each Kp^ in said fixed 
key set Kp^.^ to yield a table of date 
dependent keys K^.^; and 
40 distributing said table of date dependent keys 

Kdd(i-n) to verification sites. 

4. A method for key management for controlling the 
keys used in encoding information to be printed on 

45 a mailpiece for validating the mailpiece, the method 
comprising the steps of: 

generating a plurality of keys K to obtain a fixed 
keysetKp^^n); 

so assigning one of said plurality of keys Kp^ to a 

particular postage meter M by means of a 
determined relationship associated with the 
postage meter, said relationship being derived 
as a predetermined function F(M) correspond - 

55 ing to the particular postage meter; 

combining the assigned key Kp^ with informa- 
tion unique to the particular postage meter M un , 
to produce a final key for the particular 



9 



EP0840 258A2 



10 



postage meter M, such that K^ptO^, M^); 
and 

storing said final key in the particular 
postage meter M. 

5. The method of claim 4 further comprising the steps 

of: 

encrypting said final key K^ with a date to 
obtain a date dependent key for the partic- io 
ular meter M; and 

storing said date dependent key in the par- 
ticular meter M. 

6. The method of claim 4 or 5 wherein said deter- is 
mined relationship associated with the postage 
meter is a pointer p associated with the particular 
postage meter M, said pointer p being derived as a 
function F(M) corresponding to predetermined 
parameters of the particular postage meter M . so 

7. A method for key management for controlling the 
keys used in encoding information to be printed on 
a maitpiece for validating the mailpiece. the method 
comprising the steps of: 25 

generating a plurality of keys K to obtain a fixed 
key set K pred( i-n); 

assigning one of said plurality of keys Kp^ to a 
particular postage meter M by means of a 30 
determined relationship associated with the 
postage meter, said relationship being derived 
as a predetermined function F(M) correspond- 
ing to the particular postage meter; 
installing the assigned key Kp red in the partial- 35 
lar postage meter M; 

encrypting said assigned key Kp^d with a date 
to obtain an assigned date dependent key K^; 
and 

containing the date dependent key with 40 
information unique to the particular postage 
meter to produce a final key K^i for the 
particular postage meter M. such that Kf h 

nal s KK<H» Muni)- 

45 

8. A method for key management for controlling the 
keys used in the verification of encoded information 
to be printed on a mailpiece. the method compris- 
ing the steps of : 

sc 

generating a plurality of keys K to obtain a fixed 
key set K pred{1 

encrypting a date with each in said fixed 
key set Kpcodp-n) to yield a table of date 
dependent keys K*i(i-n): * 
distributing said table of date dependent keys 
K^vn) t0 verification sites; 
reading plaintext information printed on a mail- 



piece, said plaintext information including a 
meter ID identifying a particular postage meter 
M; 

finding a date dependent key Kdd correspond- 
ing to the particular postage meter M by means 
of a determined relationship associated with 
the postage meter, said relationship being 
derived as a predetermined function of said 
meter ID; 

encrypting said meter ID with said date 
dependent key to obtain a final key K^; 
encrypting at least some part of the plaintext 
information using said final key K final to obtain a 
code; 

comparing said code with encoded information 
printed on the mailpiece; and 
validating the mailpiece when said code 
matches said encoded information. 

A system for key management for controlling the 
keys used in encoding information to be printed on 
a mailpiece for validating the mailpiece, comprising: 

means for generating a plurality of keys K to 
obtain a fixed key set K pr#d ( 1 . n) ; 
means for assigning one of sad plurality of 
keys to a particular postage meter M (12) 
by means of a determined relationship associ- 
ated with the postage meter (12). said relation- 
ship being derived as a predetermined function 
F(M) corresponding to the particular postage 
meter; 

means for encrypting said assigned key Kpred 
with a date to obtain an assigned date depend- 
ent key Kdd: and 

means for combining the assigned date 
dependent key Kdd with information unique to 
the particular postage meter M uni to produce a 
final key K^, for the particular postage meter 
M, such that IW*f(Kdd. Muni)- 

, A system for key management for controlling the 
keys used in encoding information to be printed on 
a mailpiece for validating the mailpiece, comprising: 

means for generating a plurality of keys K to 
obtain a fixed key set Kp rad(1 . n ); 
means for assigning one of said plurality of 
keys Kprod to a particular postage meter M by 
means of a determined relationship associated 
with the postage meter, said relationship being 
derived as a predetermined function F(M) cor- 
responding to the particular postage meter; 
means for combining the assigned key Kp^d 
with information unique to the particular post- 
age meter M uni to produce a final key K^, for 
the particular postage meter M, such that K^. 
^(Kdd.Munifcand 
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means for storing said final key in the par- 
ticular postage meter M. 
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(54) Enhanced encryption control system for a mail processing system having data center 
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(57) A key control system comprises the generation 
of a first set of predetermined keys Kp^ which are then 
used as master keys for a plurality of respective postage 
meters (12). The keys are then related to a respective 
meter (12) in accordance with a map or algorithm. The 
predetermined master key Kp^ is encrypted with the 
date to yield a date dependent key related to the 
respective meter (12). The date dependent key is 
encrypted with a unique identifier or the respective 
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tive meter to generate digital tokens. The Data Center 
(16) encrypts the date with each predetermined key 
Kpced to yield a table of dependent keys K^'s. Trie table 
of Kdd's are distributed to verification sites. The verifica- 
tion site reads a meter's identification from a mailpiece 
being verified to obtain the dependent key of the 
meter (12). The verification side (34) encrypts the 
dependent key K&j with the unique identifier to obtain 
the unique meter key which is used to verify tokens gen- 
erated by the meter (12). In the preferred embodiment 
the master key Kp^, the date dependent key K^, and 
the unique key K^, in the meter are stored in the 
meter. In the alternate embodiment the master key 
Kp^ is encrypted with a unique meter identifier to 
obtain and the unique key which is stored in the 
meter (12). The meter then generates its date depend- 
ent key Key* which is used to generate digital tokens. 
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